North Korean government-backed hacking groups exploited a remote code execution flaw in the Chrome web browser weeks before it was patched, Google's Threat Analysis Group (TAG) reported on Thursday.
Tracked as CVE-2022-0609, the vulnerability is a use-after-free in the browser's Animation component. Google patched it on February 14, 2022 with the release of Chrome 98.0.4758.102, so the activity described here was in-the-wild zero-day exploitation.
According to the report, the campaigns targeted US-based organizations in the news media, IT, cryptocurrency and fintech sectors. One set of activity shared direct infrastructure overlaps with attacks on security researchers reported last year.
The earliest evidence of the exploit kit being actively deployed dates to January 4, 2022, more than a month before the fix shipped, according to Google TAG researcher Adam Weidemann. TAG suspects the groups behind the two campaigns belong to the same organization, each with a different mission and its own techniques.
Google TAG, which discovered the campaigns on February 10, said the attackers used several safeguards to make it hard for defenders to recover the intermediate stages: each stage of the exploit kit, including the client's responses, was AES-encrypted, links carried single-use unique IDs, and later stages were not served if an earlier stage had failed.
The first campaign, which Google tracks as "Operation Dream Job", targeted more than 250 people working for ten news media outlets, domain registrars, web hosting providers and software vendors with fake job offers purportedly from companies such as Disney, Google and Oracle. The name comes from an August 2020 report by the Israeli cybersecurity firm ClearSky, which described an earlier Lazarus fake-job campaign under that label.
Delivering malicious payloads through fake job offers is not a new tactic. The Lazarus group, one of the main threat actors operating out of North Korea, has long relied on it. Earlier this year, the same group was observed impersonating the American defense and aerospace firm Lockheed Martin by circulating fake job listings in its name.
A second campaign, tracked as "Operation AppleJeus", used the same Chrome zero-day against more than 85 users in the cryptocurrency and fintech industries. In that campaign the attackers compromised at least two legitimate fintech company websites and used them to host the hidden iframes that served the exploit.
According to Google TAG, the exploit kit was deployed as a multi-stage infection chain: attack code was embedded in hidden iframes on both compromised legitimate websites and fake websites the attackers set up. In other cases, Weidemann said, fake websites hosted iframes that redirected their visitors to the exploit kit.
The kit first served heavily obfuscated JavaScript that fingerprinted the target machine, collecting details such as the user agent and screen resolution and sending them back to the exploitation server. Only then was the remote code execution (RCE) exploit delivered; on success it requested a second-stage package intended to escape the Chrome sandbox and carry out post-exploitation activity. Google was not able to recover any stage beyond the initial RCE, so the sandbox escape and later payloads remain unknown.
The kit also checked for Safari on macOS and for Mozilla Firefox on any operating system, redirecting those visitors to specific links on known exploitation servers. Google did not observe any response from those URLs, so it is unconfirmed whether those browsers were successfully exploited.
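The two things a defender can hunt for from the description above are browsers that were still on a pre-fix Chrome build when they visited a site in the targeted sectors, and hidden iframes injected into pages. The following is an added example written for this article, not code from Google TAG or from the report; the log format (client, timestamp, host, quoted user agent), the log lines and the HTML page are all constructed for illustration, and the version-comparison and iframe heuristics are assumptions about how such a hunt would be run, not indicators published by Google.

```python
"""Hunt for CVE-2022-0609 exposure in web logs and for hidden iframes in HTML.

Added example, not code from Google TAG or the article. The log lines, the
log layout ('client ts host "user-agent"') and the HTML page below are
constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Chrome build that shipped the fix for CVE-2022-0609 (from the article).
FIXED_CHROME = (98, 0, 4758, 102)

# Chromium-based browsers (Edge, Brave, ...) also embed the Chromium version
# as "Chrome/x.y.z.w", so the check applies to them as a heuristic too.
_CHROME_UA = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Assumed log layout: client, timestamp, requested host, quoted user agent.
_LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<ts>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def chrome_version(user_agent):
    """Return the Chromium version tuple from a UA string, or None if absent."""
    m = _CHROME_UA.search(user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_chrome(user_agent):
    """True when the UA reports a Chromium build older than the fixed one.

    Reduced user agents (e.g. Chrome/116.0.0.0) still carry a major version
    above 98, so they compare as patched rather than producing a false hit.
    """
    v = chrome_version(user_agent)
    return v is not None and v < FIXED_CHROME


def vulnerable_clients(log_lines):
    """Return (client, host, version) for requests from unpatched Chromium builds."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        v = chrome_version(m["ua"])
        if v is not None and v < FIXED_CHROME:
            hits.append((m["client"], m["host"], ".".join(map(str, v))))
    return hits


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are zero-sized or hidden via inline CSS."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if (a.get("width") or "").strip() in ("0", "0px") or \
           (a.get("height") or "").strip() in ("0", "0px"):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        # Off-origin is recorded as extra context; on its own it is not hiding.
        if src and (urlparse(src).hostname or self.page_host) != self.page_host:
            reasons.append("off-origin")
        if "zero-size" in reasons or "css-hidden" in reasons:
            self.hidden.append((src, reasons))


def find_hidden_iframes(html, page_host):
    """Return hidden iframes found in an HTML document served from page_host."""
    p = HiddenIframeFinder(page_host)
    p.feed(html)
    p.close()
    return p.hidden


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 2022-02-11T09:12:03Z news.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36"',
    '10.0.0.7 2022-02-11T09:13:44Z news.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"',
    '10.0.0.9 2022-02-11T09:14:10Z news.example.com "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15"',
]

SAMPLE_HTML = """<html><body>
<h1>Fintech news</h1>
<iframe src="https://partner.example.net/widget" width="300" height="200"></iframe>
<iframe src="https://cdn-update.example.org/kit.html" width="0" height="0" style="display: none"></iframe>
<iframe src="/legacy/frame.html" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for client, host, ver in vulnerable_clients(SAMPLE_LOG):
        print(f"unpatched Chromium {ver} from {client} visiting {host}")
    for src, reasons in find_hidden_iframes(SAMPLE_HTML, "news.example.com"):
        print(f"hidden iframe {src!r}: {', '.join(reasons)}")
```

The version check is a triage aid, not proof of compromise: a user agent can be spoofed or reduced, and the kit only served later stages to fingerprinted targets, so a pre-fix build in the logs means a client that could have been exploited, not one that was. The iframe scan flags every hidden frame and records whether it points off-origin, which lets an analyst separate a legitimate same-origin hidden frame from an injected one such as the second iframe in the sample.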
TAG suspects the two groups work for the same entity with a shared supply chain, which explains their use of the same exploit kit, while each operates with a distinct mission set and a different set of tactics. Other North Korean government-backed attackers may have access to the same exploit kit.